Ransomware groups have traditionally relied on widely available tools to steal data before encryption. The Trigona ransomware group has taken a different route by developing its own data exfiltration utility. A bespoke tool is not covered by the signatures and behavioural rules written for the common off-the-shelf uploaders, and it lets the operators decide precisely which files leave the network.
Emergence of Trigona’s Custom Tool
First detected in late 2022, Trigona operates under a Ransomware-as-a-Service (RaaS) model, managed by the cybercrime organization Rhantus. Historically, ransomware operators have used utilities like Rclone and MegaSync to move stolen data to cloud storage. Because these utilities are so widely abused, their binaries and their traffic are now well understood by security products, which pushed the group toward a tool of its own.
The introduction of a bespoke tool indicates growing technical capability within the group. Symantec’s Threat Hunter Team identified the shift in March 2026 and described it as a significant development in Trigona’s tradecraft: the group is investing in proprietary malware to avoid detection during the data theft phase, the step that precedes encryption and gives the group its extortion leverage.
Technical Advancements and Targeting
The tool, named “uploader_client.exe,” is a command-line utility that connects to an attacker-controlled server and uploads selected files. In observed incidents it was pointed at directories containing financial invoices and PDF documents, which shows a deliberate focus on data with extortion value.
This advancement is emblematic of a broader trend in which cybercriminal groups run their operations with the discipline of a software project, writing and maintaining their own tooling. Organizations that hold sensitive financial or confidential documents face a growing risk as these tools mature.
Defense Evasion Strategies
Before deploying the custom uploader, the attackers systematically dismantled the target’s defenses. HRSword, a component of the Huorong Network Security Suite, was repurposed to terminate security software. Additional utilities such as PCHunter, Gmer and YDark are legitimate anti-rootkit tools that ship with their own signed kernel drivers; once loaded, those drivers let the operator kill protected security processes from kernel mode, bypassing protections that user-mode tools cannot touch. It is the abuse of these drivers, not a vulnerability in Windows itself, that provides the access.
Remote access was maintained with AnyDesk, and credentials were harvested with Mimikatz and similar utilities. PowerRun, which launches programs with TrustedInstaller or SYSTEM privileges, let the attackers run tasks with elevated rights and keep control of the compromised systems.
uploader_client.exe is built for speed and stealth: it opens multiple parallel connections and rotates through fresh TCP connections rather than holding one long-lived session, which makes the transfer harder to spot as a single large upload. It uploads only the targeted documents and ignores less valuable files.
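As an added example (not code from Symantec or from the Trigona actors), the heuristic below, in Python, shows how the behaviour just described can be surfaced from NetFlow or Zeek-style connection records: it groups flows by source and destination and flags pairs that open many short, upload-heavy sessions from fresh source ports within a short window. The flow records are constructed for the example, and the thresholds are illustrative.

```python
"""Flag source/destination pairs whose traffic looks like a parallel,
connection-rotating uploader: many short TCP sessions to one destination
inside a short window, each from a fresh source port, with bytes out
dwarfing bytes in. Runs over NetFlow/Zeek-style connection records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # connection start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client
    duration: int    # seconds


# Constructed records, not captured traffic. 10.0.0.5 behaves like the
# uploader: eight 4-second sessions in ~25 s, a new source port each time,
# ~6 MB up and ~20 KB down per session. 10.0.0.7 is ordinary browsing.
SAMPLE_FLOWS = [
    Flow(1000 + 3 * i, "10.0.0.5", 49200 + i, "203.0.113.10", 443,
         6_000_000, 20_000, 4)
    for i in range(8)
] + [
    Flow(1000, "10.0.0.7", 50000, "198.51.100.4", 443, 40_000, 900_000, 60),
    Flow(1010, "10.0.0.7", 50001, "198.51.100.4", 443, 30_000, 700_000, 45),
]


def detect_rotating_uploads(flows, window=60, min_sessions=5,
                            min_bytes_out=20_000_000, min_ratio=10.0):
    """Return {(src, dst): stats} for pairs that, within some `window`-second
    span, open >= min_sessions connections sending >= min_bytes_out with an
    out:in byte ratio >= min_ratio. Thresholds are illustrative; tune them
    against a baseline of normal egress for the network in question."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = {}
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        best = None
        for end in range(len(fl)):
            # Slide the window start forward until it fits within `window`.
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]
            out = sum(f.bytes_out for f in win)
            inn = sum(f.bytes_in for f in win)
            if (len(win) >= min_sessions and out >= min_bytes_out
                    and out / max(inn, 1) >= min_ratio):
                stats = {
                    "sessions": len(win),
                    "distinct_sports": len({f.sport for f in win}),
                    "bytes_out": out,
                    "bytes_in": inn,
                    "avg_duration": sum(f.duration for f in win) / len(win),
                }
                # Keep the heaviest qualifying window for the pair.
                if best is None or stats["bytes_out"] > best["bytes_out"]:
                    best = stats
        if best:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), s in detect_rotating_uploads(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {s}")
```

The distinct source port count and short average duration are what distinguish a connection-rotating uploader from a single long bulk transfer; a legitimate backup agent usually holds one or a few sessions open, while browsing has the byte ratio inverted.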
Protection and Monitoring Recommendations
Organizations should monitor for remote access tools such as AnyDesk running outside sanctioned deployments. Endpoint detection should alert on kernel driver loads and kernel-level activity by anti-rootkit utilities such as PCHunter and Gmer, which legitimate administrators rarely need on production servers. Security software must be kept current, and network traffic should be baselined so that unusual egress patterns, such as one host opening many short outbound connections to a single external address, stand out.
Reviewing and tightening access permissions to sensitive documents on network drives also limits what a targeted exfiltration tool can reach: the uploader can only take what the compromised account is allowed to read. These proactive measures are essential in defending against increasingly sophisticated threats.
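The following Python triage function is an added example of the endpoint monitoring recommended above; it is not detection content from Symantec or any EDR vendor. It walks Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) events and flags execution of the tools named in this article, a kernel driver loaded from a user-writable directory, Mimikatz module arguments on a command line even when the binary has been renamed, and AnyDesk running outside an approved install path. The event records, the approved AnyDesk path and the tool file names (PCHunter64.exe and so on) are assumptions of the example.

```python
"""Triage Sysmon-style endpoint events for the tradecraft described above.

Added example, not vendor detection content. Rules:
  * execution of the named process-killer / anti-rootkit / credential tools,
  * a kernel driver loaded from a user-writable path (how hand-carried signed
    anti-rootkit drivers are typically dropped and loaded),
  * Mimikatz module names on a command line even when the binary is renamed,
  * AnyDesk running from anywhere but the approved install path.
"""
import re
from pathlib import PureWindowsPath

# Assumed file names for the tools named in the report. Name matching alone
# is weak (binaries get renamed), so the rules pair it with path checks.
KNOWN_TOOLS = {
    "hrsword.exe": "HRSword (Huorong) process killer",
    "pchunter64.exe": "PCHunter anti-rootkit",
    "pchunter32.exe": "PCHunter anti-rootkit",
    "gmer.exe": "GMER anti-rootkit",
    "ydark.exe": "YDArk anti-rootkit",
    "mimikatz.exe": "Mimikatz credential dumper",
    "powerrun.exe": "PowerRun privilege elevation",
    "uploader_client.exe": "Trigona custom uploader",
}
# Assumed organisational policy: AnyDesk is only sanctioned from this path.
APPROVED_RAT_IMAGES = {r"c:\program files (x86)\anydesk\anydesk.exe"}
# Directories an ordinary user can write to; legitimate kernel drivers live
# under \Windows\System32\drivers.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")
MIMIKATZ_ARGS = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)

# Constructed events, not real telemetry. drv_tmp.sys is a placeholder name.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\Users\svc_backup\Desktop\tools\PCHunter64.exe",
     "CommandLine": "PCHunter64.exe"},
    {"EventID": 6, "Computer": "FS01",
     "ImageLoaded": r"C:\Users\svc_backup\AppData\Local\Temp\drv_tmp.sys",
     "Signed": "true"},
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\Users\svc_backup\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\Windows\Temp\m.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventID": 1, "Computer": "FS01",
     "Image": r"C:\ProgramData\uploader_client.exe",
     "CommandLine": "uploader_client.exe"},
    {"EventID": 6, "Computer": "WS02",
     "ImageLoaded": r"C:\Windows\System32\drivers\Ntfs.sys",
     "Signed": "true"},
]


def triage(events):
    """Return [(computer, severity, reason)] for every event matching a rule."""
    findings = []
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] == 1:  # Sysmon: process creation
            image = ev["Image"].lower()
            name = PureWindowsPath(image).name
            cmd = ev.get("CommandLine", "")
            if name in KNOWN_TOOLS:
                findings.append((host, "high",
                                 f"{KNOWN_TOOLS[name]} executed: {ev['Image']}"))
            elif name == "anydesk.exe" and image not in APPROVED_RAT_IMAGES:
                findings.append((host, "medium",
                                 f"AnyDesk from unapproved path: {ev['Image']}"))
            # Catches Mimikatz even after the binary is renamed.
            if MIMIKATZ_ARGS.search(cmd) and name != "mimikatz.exe":
                findings.append((host, "high",
                                 f"Mimikatz command line under renamed binary: {cmd}"))
        elif ev["EventID"] == 6:  # Sysmon: driver loaded
            drv = ev["ImageLoaded"].lower()
            if any(p in drv for p in USER_WRITABLE):
                findings.append((host, "high",
                                 f"kernel driver loaded from user-writable path: {ev['ImageLoaded']}"))
            if ev.get("Signed", "true").lower() != "true":
                findings.append((host, "high",
                                 f"unsigned kernel driver loaded: {ev['ImageLoaded']}"))
    return findings


if __name__ == "__main__":
    for host, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev:6}] {host}: {why}")
```

The driver-path rule is the one that generalises beyond the tools named here: the anti-rootkit drivers used in this intrusion are validly signed, so a "signed" check passes, but a driver being loaded from a user's profile or a temp directory on a file server is itself the anomaly worth an alert.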
